Rise up against Mediocrity

Submitted by Mike Rothman on Mon, 2008-09-08 08:42.

A few folks (Emergent Chaos, Risk Analys.is) pointed to probably the best Dilbert I've seen in a long time. A lot are funny, but this one really struck home.

For a long time, when people asked me what I did for a living, my standard response was: "Fight against mediocrity." And that's kind of how I fancied myself. A crusader against all lameness. Someone who wouldn't just accept "that's how we do it," when doing it that way was just stupid.

Part of it is naive idealism. Another part is actually wanting to make a difference.

But over time, you get beaten down. Many incentive systems reward for mediocrity. For doing just enough. And if you consistently don't get rewarded for going the extra mile, after a while you'll stop. No one is so self-motivated that they outperform their peers and blast expectations for an extended period of time without some kind of reward and recognition.

That's why I think change is so important. Changing what you do, maybe who you do it for, what your goals and aspirations are, who you hang out with - anytime you start to feel stale. Stale = mediocre.

We in the security business are particularly guilty of accepting mediocrity. Our brand of mediocrity flies by under the term compliance, which is basically the set of best practices that we should adopt - or have our executive officers suffer the mythical perp walks.

One of the things I mention in the P-CSO is the importance of thinking differently and not doing what everyone else is doing from a defense standpoint. Dilbert makes the risk of the lowest common denominator approach abundantly clear. If you do what everyone else does, then your adversaries know what that is, thus THEY KNOW HOW TO BEAT YOU.

I love those old movies like "Home Alone," where the bad guys stumble and bumble into every trap. The little kid set a bunch of non-traditional traps and the bad guys didn't know what to do about it. That's exactly how we need to start thinking about computer security as well. As fun as it would be to spray a hacker with honey and then dump them into a pile of feathers, we need to find the digital equivalent of that.

That's why I continue to beat the drum for Security FIRST! as a mantra. If you do security correctly, then I'm pretty confident you won't have much trouble with compliance.

It's too easy just to push the compliance button and figure everything will be OK. To figure that compliance is the end goal, the finish line. Folks, we work in security, THERE IS NO FINISH LINE. Compliance is the lowest common denominator. It's something that everyone is doing (or should be doing) and it represents mediocrity.

And who wants to go through life settling for mediocrity?

Photo: "mediocrity" courtesy of Despair, Inc.

Submitted by Christian (not verified) on Mon, 2008-09-08 20:56.

Great post mate! I couldn't agree with you more. I'm finding myself in a bind at the moment because it's quite visible just how much upper management are pushing for mediocrity across the board. It makes work just that much more painful.

Inspiring post.

Submitted by Daniel Philpott (not verified) on Wed, 2008-09-10 11:31.

Compliance is not mediocrity.  

Compliance is a baseline.  

Compliance does not mean, "Do this and nothing else."

Compliance means, "Do this to knock out the obvious problems so you can focus on the rest."

Compliance should never be static.

Compliance should be measured against a regularly updated baseline reflecting how to best deal with the obvious problems. 

Compliance is not the shiny nickel, flashy bling, zero day, k-kewl h4xx0r, kneejerk reaction version of security.

Compliance is the steady gait that lets you sprint the last 100 meters. 
